Friday, the 20th of December 2024
The ICO has stated that Fingerprinting is not a fair means of tracking.
Google, however, announced to organisations that it will no longer prohibit them from employing fingerprinting techniques for advertising products from February 2025. This is concerning, as Fingerprinting relies on signals that a user cannot easily wipe. Even if users ‘clear all site data’, the organisation using fingerprinting techniques could immediately identify them again. This is not transparent and cannot easily be controlled. Moreover, Fingerprinting is harder for browsers to block and therefore even privacy-conscious users will find this difficult to stop.
The ICO will engage with Google to discuss this turn of events closer to the New Year.
Fingerprinting involves the collection of pieces of information about a device’s software or hardware, which, when combined, can uniquely identify a particular device and user. It is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected.
---
Dutch Data Protection Authority (Dutch DPA) is imposing a fine of 4.75 million euro on the streaming service Netflix for not providing customers sufficient information about what the company did with their personal data between 2018 and 2020.
This comes as a result of NOYB's complaint against Netflix in January 2019. According to the sources, Netflix was too vague to communicate for what exact purpose the data was processed or provide information about the countries in which the data is stored and how long it is stored for. Additionally, they were not able to adequately respond to one user's subject access request.
---
The Irish Data Protection Authority (DPA) requested an opinion on the use of personal data for the development and deployment of AI models with a view to seeking Europe-wide regulatory harmonisation. The EDPB released its opinion today.
The opinion looks at:
1) when and how AI models can be considered anonymous
2) whether and how legitimate interest can be used as a legal basis for developing or using AI models
3) what happens if an AI model is developed using personal data that was processed unlawfully
---
Earlier this month, the federal appeals court rejected TikTok's appeal for a "modest delay" to the enforcement of its ban. A law passed earlier this year states TikTok will be banned unless it is sold by its Chinese parent company, ByteDance, before 19 January, due to allegations of data sharing between ByteDance and the Chinese government.
According to the BBC, Trump met the CEO Shou Zi Chew at his Mar-a-Lago estate in Florida this week to discuss this case. Although Trump was in favour of a TikTok ban in his first term, he has since reevaluated his position on the matter.
TikTok is "one of the most significant speech platforms" in the US, and both its ban, sale, or continued presence in the US will have major consequences for the US population.
---
Meta has agreed to a $31.85 million settlement, closing a long, expensive legal battle over the Cambridge Analytica scandal.
Cambridge Analytica, a British consulting firm, had illegally kept personal data of millions of Facebook users without their permission, before using the data predominantly for political advertising. This was first reported by in early 2018, and Facebook received fines from regulators in the United States and the UK in 2019. Australia's privacy regulator has been caught up in the legal battle with Meta since 2020.
"Today's settlement represents the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia," the Australian Information Commissioner Elizabeth Tydd said.
---
Under the Environmental Information Regulations (EIR), water companies in the UK have a legal obligation to publish information about the environment. Many of the water companies in the UK have not been compliant and have been the subject of numerous complaints to the ICO.
The ICO has published a case study today, the 16th of December 2024, on Yorkshire water, demonstrating how challenges in publishing environmental data can be overcome and the benefits of publishing frequently the requested information.
Earlier this year, the ICO wrote to 12 water companies, urging them to put transparency first, but so far only two companies have committed to publishing this information each month. People have a right to information about their surrounding environment, and the ICO strongly urges companies to take this into account immediately.
---
Stephen Almond, the ICO's executive director of regulatory risk, has issued a statement where he calls on the Generative AI developers to be more transparent in telling people how their personal data is used.
The ICO has found a serious lack of transparency, especially in relation to training data within the AI industry, which can negatively impact the public’s trust in AI. Mr Almond claims that there is no excuse for generative AI developers not to embed data protection by design into products from the start.
The ICO has ample resources for all developers to make sure that AI training is done in a safe and responsible way.
---
Breathe Services Ltd (BSL), a debt advice company, was fined £170,000 for making over 4 million unlawful direct marketing calls - it was found the BSL had spoofed its outbound phone number by presenting over 1,000 different telephone numbers on calls. In March 2023 the ICO carried out a search at BSL’s office in Bolton, seizing evidence including documents and electronic devices.
Money Bubble Ltd (MBL), is a financial advice company based in Oldham. Between October – November 2022, the company made 168,852 spam calls. MBL did not provide evidence that anyone whose number had been called had consented to receiving calls from the company. The ICO has issued a £120,000 fine.
This should be a sobering reminder for companies to make sure that they have a lawful basis when considering direct marketing techniques.
---
Mr Manjra, 44, led a team dealing with accident claims for Markerstudy Insurance Services Limited (MISL) which was based in Manchester. The insurers became suspicious due to the higher than normal number of claims being processed. Manjra was contracted to work Monday to Friday but when MISL reviewed its systems it discovered Manjra was unlawfully accessing over 32,000 policies during weekends, when he was not expected to work and was not claiming overtime.
An ICO investigation, which included a search of Manjra’s home, found he was sending details of personal data he had accessed by mobile phone to another person.
Manjra was sentenced at Manchester Crown Court on Wednesday 11 November to a six month prison sentence, suspended for two years, and ordered to complete 150 hours of unpaid work.
---
The US government passed a law recently demanding TikTok's sale or banning it in the country because of links to the Chinese state. TikTok said it would appeal to the Supreme Court and has asked for an emergency injunction to prevent it becoming unavailable in the US next month and to give the Supreme Court more time to consider the matter.
Trump has previously said he would overturn the law and "save TikTok" from a ban.
---
The ICO has taken action against four public authorities for failing to meet their obligations under the Freedom of Information Act (FOIA).
These include:
- City of London Police
- Staffordshire Police
- Dorset Police
- Goldsmiths, University of London
It is important for public authorities to remain compliant where personal data is concerned, and to make sure that provide timely responses to people about their information rights requests.
---
Doorstep Dispensaree, which supplied medicine to care homes, came to the ICO's attention in December 2019 when the Medicines and Healthcare Products Agency reported the company after it seized unlocked crates of sensitive personal information stored in publicly accessible premises. Following an investigation the Commissioner issued an Enforcement Notice in 2019.
Doorstep Dispensaree's appeal against ICO's decision was rejected by the Court of Appeals. Today’s Judgment follows a hearing that took place on 21 November 2024.
---
On the 8th of December 2024 the updated Product Liability Directive came into force - it adapts the EU’s liability rules for new technologies such as AI companies. The Directive ensures that victims can claim compensation from manufacturers when they suffer damage caused by a defective product. The update was made to ensure that there is victim protection in place from new, developing technologies.
This directive is based on 2 main principles:
- the manufacturer has to compensate the damage caused by a defective product
- the victim has to prove the product’s defectiveness, the damage that was caused and establish that this defectiveness was the cause of the damage
Companies that employ AI will have a big incentives to train their staff to handle AI safely to meet evolving safety expectations.
---
On the 4th of December 2024, the EDPB issued a statement about the European Commission's report on the application of the GDPR.
In the statement, the EDPB underlines the importance of creating legal certainty and harmony across various data protection laws: the GDPR, the AI Act, the EU Data Strategy and the Digital Services Package.
It was also announced that the EDPB will produce more content for non-experts, such as small and medium-sized businesses. Finally, with increasingly complex challenges in the emerging data sphere, the statement highlights the need for additional financial and human resources to help Supervisory Authorities and the EDPB.
---
According to the BBC, regulation expert Dr Maria Luisa Stasi is accusing Microsoft of overcharging businesses for using its Window Server software, used in cloud computing. This case is on an "opt-out" basis - meaning UK organizations are all being represented to begin with unless they wish not to be.
Cloud computing is a vital part of how businesses operate in the UK, and many of them are dependent on Microsoft's Azure platform, or alternatives like Amazon or Google. Google has accused Microsoft of violating anti-competitive laws: "We believe Microsoft’s licensing practices both raise rivals’ costs and weaken rivals’ ability to compete for a significant proportion of customer demand."
---
On the 3rd of December 2024, the EDPB also clarified rules on how Supervisory Authorities should proceed when faced with a demand to share personal data about an individual to a third country. View the document below for an in-depth dive into the legal bases, safeguards, and the overall detailed exploration of Article 48 of the GDPR.
